Medical Device Cybersecurity: US Requirements
- Establish design inputs for their device related to cybersecurity
- Establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis – required by 21 CFR 820.30(g)
- Approach addresses:
  - Identification of assets, threats, and vulnerabilities;
  - Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
  - Assessment of the likelihood of a threat and of a vulnerability being exploited;
  - Determination of risk levels and suitable mitigation strategies;
  - Assessment of residual risk and risk acceptance criteria.